Veracode Dynamic Analysis Helps You Check Your Security Headers
Veracode Dynamic Analysis helps you follow Google I/O 2018 security recommendations
I've been binging on the Google I/O 2018 videos. I guess every web geek does! One video caught my attention: Google Chrome security team's improvements to fight off the Spectre & Meltdown "celebrity" vulnerabilities. They're using software at the browser level to mitigate against a hardware vulnerability. How cool is that?
Just like Google, Veracode has been beating the drum on the importance of security headers here in 2012, 2013 and 2014. Google calls out Site Isolation feature, cross-origin read blocking, cookie restrictions, high resolution timers, and Google V8 JavaScript engine. Read more here.
However, Chrome security cannot make the web safer on its own. It needs web developers to help defend against Spectre vulnerability and future software vulnerabilities. For these goals, Chrome security recommends a bunch of website configuration best practices. This is where Veracode Dynamic Analysis comes in!
Best part, no new workflows! Just run your Dynamic Analysis scans as usual to verify your web developers are using the website configuration best practices. Checking these security headers is just one of the many vulnerability checks we have to help you safeguard modern web applications.
Veracode Dynamic Analysis checks the following security headers are set correctly. Some of these were called out by Google Chrome in their Google I/O 2018 talk.
| SECURITY HEADER | CWE ID | CWE NAME |
|---|---|---|
| X-Content-Type-Options | 16 | Configuration |
| X-Frame-Options | 16 & 693 | Configuration & Protection Mechanism Failure |
| Strict-Transport-Security | 16 | Configuration |
| Access-Control-Allow | 668 | Exposure of Resource to Wrong Sphere |
| Content Security Policy directives (including SameSite Cookie) | 352 | Cross-Site Request Forgery (CSRF) |
For more information on setting them up correctly and common misconfigurations, check out our blog post here.
How often do you hear the phrases “Zero Trust” or “Trust but Verify” bandied about? It’s so true in application security. We should enable our developers to do the right thing. But we have to verify, either before production releases or on a regular cadence in production. At Veracode, we happen to favor using our Dynamic Analysis for such purposes!
P.s. If you want to watch the Google I/O talk in full, see this YouTube link: https://www.youtube.com/watch?v=dBuykrdhK-A
Related Posts
